Journal title: Journal of Theoretical and Applied Information Technology
Print ISSN: 1992-8645
Electronic ISSN: 1817-3195
Year of publication: 2018
Volume: 96
Issue: 14
Publisher: Journal of Theoretical and Applied
Abstract: The Secure Development Life Cycle (SDLC) of web applications aims to enhance the quality attributes of released applications. Security is among the important attributes evaluated during the penetration testing phase. Web Application Vulnerability Scanners (WAVS) help developers identify existing vulnerabilities that could compromise the security and privacy of data exchanged between the client and the web server during the development and deployment phases. WAVS are also used during the deployment phase to continuously evaluate the security of web applications by checking for vulnerabilities that could threaten client services. This paper evaluates the effectiveness and accuracy of five WAVS (Acunetix WVS, Burp Suite, NetSparker, Nessus and OWASP ZAP) in identifying possible vulnerabilities in web applications. The selected scanners are among the top ten recommended web vulnerability scanning tools for 2017. A black-box testing method was adopted to evaluate the five WAVS against seven vulnerable web applications. The evaluation is based on several measures: the severity level of the vulnerabilities, the types of vulnerabilities detected, the number of false-positive findings and the accuracy of each scanner. The evaluation is conducted against a list of vulnerabilities extracted from OWASP and NIST. The accuracy of each scanner was measured from its true and false positives. The results show that Acunetix and NetSparker had the best accuracy with the lowest rate of false positives.